Use this iptables script for Web/Mail server security

Security. Ah, security. It's the make or break for administrators on so many levels. For the Linux operating system you could go in so many directions with your security. You could go the graphical front-end route and make life easy but lose some flexibility. Or you could go the far more challenging route and use the command line iptables. I will say the GUI tools have come a long way, but in some instances the ease of use they offer gets in the way of being able to granularly configure your server/network security.

When you spend a lot of time creating and administering the web/mail server combination, it's always good to have a solution that is easy to put in place. I have found one that I have used for a while now and trust for its security and ease of use. This "system" uses a fairly complex iptables script that has just a single line you will need to modify in order to have sound security for a web/mail server that serves up web pages via Apache on port 80, mail via SMTP on port 25 and IMAP via port 143. The script also opens port 25 for secure shell access.

You will be surprised how simple this script is to use. I have uploaded the script to a pastebin site which you can access using this address. Copy that script to your Linux server (for the sake of simplicity save it in ~/scripts, which you will create) and you are ready to set the system up.

Configuration

The only line you need to configure (unless you need to change the networking device name and/or want to include extra ports or remove ports from the script) is line 8. This line looks like:

SCRIPT_DIR="/PATH/TO/DIRECTORY"

What you want to have there is the location that will be filled with any IP address blocked by the firewall. For the purposes of this tutorial it will be saved in ~/scripts.

Once you have that edited you can save the file and call it start_iptables.sh. Now give the file executable permission with the command:

chmod u+x start_iptables.sh

Now create a new file called stop_iptables.sh. The contents of that file will be:

The former script starts your firewall; the latter stops it.

Starting this script

You can start and stop this script any time you feel like with the command:

sudo ~/scripts/start_iptables.sh

If there are no errors you should see something like:

Starting IPv4 Wall...

You can also check to see by listing all of your iptables chains with the command:

sudo iptables -L

Stopping the firewall is done with the command:

sudo ~/scripts/stop_iptables.sh

Start at bootup

Now let's make it such that the firewall script starts upon boot of the server (should the need arise). Open up the /etc/rc.local file and add the line:

/PATH/TO/scripts/start_iptables.sh

before the "exit 0" line.

Where /PATH/TO/ is the explicit path to the ~/scripts directory (you can't use "~/" in rc.local).

The script will now start at boot.
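The pastebin script itself is not reproduced on this page, so here is an added example of a start/stop pair implementing the policy described above (loopback, established traffic, SSH, HTTP 80, SMTP 25, IMAP 143 accepted; everything else logged and dropped), plus the SCRIPT_DIR blocklist idea. It is not the author's script; the interface name, the SSH port variable, the blocklist file name and the IPT variable (set IPT=echo to preview rules without root) are assumptions.

```shell
#!/bin/bash
# Added example, not the article's pastebin script.
IPT="${IPT:-/sbin/iptables}"          # set IPT=echo to print rules instead of applying them
IFACE="${IFACE:-eth0}"                # assumed external interface name
SSH_PORT="${SSH_PORT:-22}"            # assumed SSH port
SCRIPT_DIR="${SCRIPT_DIR:-$HOME/scripts}"   # directory holding blocked addresses

start_firewall() {
  local blocklist="$SCRIPT_DIR/blocked_ips.txt"   # hypothetical name: one IPv4 address per line
  echo "Starting IPv4 Wall..."
  $IPT -F; $IPT -X
  # Default-deny inbound and forwarded traffic; outbound is allowed.
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Addresses written to the blocklist are dropped before any service rule.
  if [ -f "$blocklist" ]; then
    while read -r ip; do
      if [ -n "$ip" ]; then
        $IPT -A INPUT -s "$ip" -j DROP
      fi
    done < "$blocklist"
  fi
  # Only new connections to the served ports are accepted.
  for port in "$SSH_PORT" 80 25 143; do
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Rate-limited log of everything that is about to be dropped.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
  $IPT -A INPUT -j DROP
}

stop_firewall() {
  echo "Stopping IPv4 Wall..."
  $IPT -F; $IPT -X
  $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
  start) start_firewall ;;
  stop)  stop_firewall ;;
esac
```

Save it as start_iptables.sh, then `sudo ./start_iptables.sh start` applies the rules and `stop` opens the firewall again.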

Final thoughts

This easy to install firewall will add a level of safety to your web/mail server that would be hard to come by with a GUI tool. And if you are using a headless (console only) server, it's the only way to go.


About Jack Wallen

Jack has been a technical writer, covering Linux and open source, for nearly ten years. He began as an editor in chief of Linux content with Techrepublic and is now a freelance writer for numerous sites. Jack is also a writer of novels and is currently working on his first zombie fiction!

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.